cti/enterprise-attack/attack-pattern/attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d.json

{
    "type": "bundle",
    "id": "bundle--691ccf15-bff8-4abe-8796-e48fd6e33725",
    "spec_version": "2.0",
    "objects": [
        {
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1041",
                    "url": "https://attack.mitre.org/techniques/T1041"
                },
                {
                    "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
                    "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
                    "source_name": "University of Birmingham C2"
                }
            ],
            "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
            "name": "Exfiltration Over C2 Channel",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
            "type": "attack-pattern",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "exfiltration"
                }
            ],
            "modified": "2020-03-12T15:59:47.470Z",
            "created": "2017-05-31T21:30:41.804Z",
            "x_mitre_is_subtechnique": false,
            "x_mitre_version": "2.0",
            "x_mitre_data_sources": [
                "Packet capture",
                "Process use of network",
                "Netflow/Enclave netflow",
                "Process monitoring"
            ],
            "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
            "x_mitre_network_requirements": true,
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ]
        }
    ]
}